Description
In STIX 1.2, the TestMechanism field of Indicator 'specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.'
In practice we use test mechanisms (e.g. Yara rules or Snort rules) to detect malware families or specific instances of malware, not observables.
See for example here: https://github.com/Yara-Rules/rules/tree/master/Mobile_Malware
We would then like to associate test mechanisms with TTPs.
Not sure if this would require having the test mechanism outside the indicator object.
A typical use case in our CTI workflow would be:
1. Security actor/vendor releases a report on a new malware family (malwareX), incl. initial Yara / Snort rules to detect the malware.
2. CERT/CSIRT loads the relevant data into its own Threat Intelligence (TI) platform, incl. a TTP entry (malwareX) and test mechanism entries (the associated Yara / Snort rules).
3. Researchers/community improve the original Yara / Snort rules or release new rules to detect malwareX.
4. CERT/CSIRT loads the new rules into the TI platform. The TI platform auto-detects the association between the rules and malwareX (using the malware naming convention, for example).
5. CERT/CSIRT extracts the relevant rules from the TI platform and uses them in proactive hunting for malwareX.
Thanks
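A worked example of steps 2 and 4 of the workflow above, added here and not part of the issue or of the STIX project's own code: an incoming Yara rule is matched to a malware-family TTP by the `<family>_<suffix>` naming convention, then wrapped in a STIX 1.2 Indicator whose `Indicated_TTP` refers to that TTP and whose `Test_Mechanisms` carries the rule as a `YaraTestMechanism`, so the rule is tied to the family without any Observable. Ids, rule names and rule bodies are constructed placeholders; the namespace URIs are assumed to be those of the STIX 1.x schemas.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces of the STIX 1.2 elements used below (assumed from the STIX 1.x schemas).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "yaraTM": "http://stix.mitre.org/extensions/TestMechanism#YARA-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

# Constructed sample data: TTP ids keyed by malware family, and Yara rules as
# (rule name, rule text). The ids are placeholders, not real identifiers.
TTPS = {"malwareX": "example:ttp-malwareX-0001", "malwareY": "example:ttp-malwareY-0002"}
RULES = [
    ("malwareX_dropper", 'rule malwareX_dropper { strings: $a = "x" condition: $a }'),
    ("MalwareX_c2_config", "rule MalwareX_c2_config { condition: true }"),
    ("generic_packer", "rule generic_packer { condition: false }"),
]

def match_family(rule_name, ttps):
    """Step 4: map a rule to a TTP via the '<family>_<suffix>' convention
    (case-insensitive). Returns the TTP id, or None when no family matches."""
    family = re.split(r"[_\-. ]", rule_name, maxsplit=1)[0].lower()
    return next((tid for name, tid in ttps.items() if name.lower() == family), None)

def associate(rules=RULES, ttps=TTPS):
    """Return ({rule_name: ttp_id} for matched rules, [unmatched rule names])."""
    matched, unmatched = {}, []
    for name, _ in rules:
        ttp_id = match_family(name, ttps)
        if ttp_id:
            matched[name] = ttp_id
        else:
            unmatched.append(name)  # left for an analyst to triage
    return matched, unmatched

def build_indicator(rule_name, rule_text, ttp_id):
    """Step 2: a STIX 1.2 Indicator carrying the rule as a YaraTestMechanism and
    pointing at the malware-family TTP through Indicated_TTP; no Observable."""
    ind = ET.Element(q("stix", "Indicator"), {"id": "example:indicator-" + rule_name})
    ind.set(q("xsi", "type"), "indicator:IndicatorType")
    ET.SubElement(ind, q("indicator", "Title")).text = "Detection rule " + rule_name
    rel = ET.SubElement(ind, q("indicator", "Indicated_TTP"))
    ET.SubElement(rel, q("stixCommon", "TTP")).set("idref", ttp_id)
    tms = ET.SubElement(ind, q("indicator", "Test_Mechanisms"))
    tm = ET.SubElement(tms, q("indicator", "Test_Mechanism"))
    tm.set(q("xsi", "type"), "yaraTM:YaraTestMechanismType")
    ET.SubElement(tm, q("yaraTM", "Rule")).text = rule_text
    return ET.tostring(ind, encoding="unicode")
```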